The Crystal Gavel

Publications of Interest

The Crystal Gavel (TM) is CyberLaw’s series of publications dealing with the nexus of future technology and the law. The following sample publications may be of interest to CyberLaw Group clients and anyone wondering what the future may bring as technology continues to evolve and impact society.

FBI vs Apple

Preface

In early August 2017, Apple CEO Tim Cook declared “we obey the laws where we do business,” explaining his decision to adhere to the Chinese government’s demands to remove access to privacy enhancing applications. It was an interesting twist given the vociferous campaign that the company and its allies waged against the U.S. government last year. It’s worth taking a closer look at what really happened in the case of Apple vs. FBI and why it still matters today in the ongoing struggle between privacy and security.

Introduction

An astute observer may have predicted the battle would emerge more than 30 years ago. In 1984, Apple was a relatively new and small company trying to break into a market dominated by IBM. They threw down the gauntlet with the most famous Superbowl commercial in history, portraying Apple as the champion of the people who are oppressed in an Orwellian version of society.[1] The message that Apple’s technology empowers individual freedom continues to this day even, though the company now dwarfs its competitors.

The new plot line involved the United States government, represented by the Federal Bureau of Investigation, attempting to strong-arm Apple into becoming an unwilling accomplice in the rise of the police state the company has warned about. The issue rose to national prominence in early 2016, when following a domestic terrorist attack in California, the FBI sought to compel Apple’s assistance in accessing the attacker’s Iphone. The two sides geared up for a massive legal battle, but the matter resolved itself when the FBI found an alternative method to access the data they sought. The fanfare regarding the particular case died down, but the underlying controversy remains unsettled.

The question remains - whether or not the government can force a cell phone manufacturer to provide assistance in bypassing its own security measures to access information on the device. To find an answer, one can either conduct a detailed analysis of case law to predict an outcome, or consider the broader policy implications as augury of the result.

Because many of the legal arguments pertain to the specific controversy, the detailed review of the pleadings of last year’s case will be covered in the second part of this article. Today’s focus is on the underlying policy issues that ultimately must prevail as society decides how to adapt to the new reality of widely available strong encryption technologies that can defeat valid search warrants. Two overall contexts are considered – the classic struggle between liberty and security, and the emerging tension in the power dynamic between the nation-state and the individual based on technological developments.

At its core, the question behind the clash of the titans was what should happen when a private company’s encryption prevents the government from accessing information which it has a legal warrant to obtain. The sense of urgency put forth by many of Apple’s supporters was well founded, but for reasons opposite to their ultimate positions. Indeed, the world stands at fateful crossroads. The path must be carefully chosen and we are fortunate to have the wisdom of our nation’s founders to guide us.

A detailed review of legal pleadings for the case, as presented by the parties and their amici provide insight on how future cases on unbreakable encryption will be handled. As advance warning, this discussion is oriented particularly towards lawyers and those with an interest in the intersection between law and technology.

The theme of the government’s case was that “Apple is not above the law” and compliance with the order was a far cry from being “the end of privacy.”[2] It was a result of Apple’s attempt to “design and market its products to allow technology, rather than the law, to control access to data.”[3]

Apple’s overall strategy was to paint the issue as a political question instead of a legal one and insist that Congress is the branch empowered to update laws to adapt to new technologies.[4] If Apple’s assistance had actually been required, their strongest argument may have been the lack of precedent for forcing a company to develop software.[5] While the government points to other cases, the scale and scope of the activity seem to be notably different and a judge may agree that this request goes too far. On the other hand, the evolution of technology means new types of requests are inevitable, so even if coding of this nature has not been compelled to date, it still could be upheld.

While the alternate approach to gain access to the data on the phone meant the case was no longer ripe for adjudication, the record provides a rich source of data to analyze the potential outcome. More importantly, it is almost certain that another case involving similar issues will soon arise, when a third way out does not present itself.

Round One - The FBI’s Motion to Compel and Apple’s Motion to Vacate.

The FBI’s Case.

The FBI’s case rested on two pillars. First, the search of the phone was properly authorized through a search warrant obtained within the scope of the Fourth Amendment. Second, the necessary assistance was properly compelled under the provisions of the All Writs Act because the warrant would otherwise be a meaningless ineffective document.

As the facts of the case clearly showed compliance with the Fourth Amendment, the All Writs Act quickly became the central focus of the issue. The Act provides a mechanism to order third parties to assist the government in execution of warrants. Given the prominent role of the Act, the government’s description of its role is provided here in full:

The All Writs Act provides in relevant part that “all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.” 28 U.S.C. $ 1651 (a). As the Supreme Courtexplained, “[t]he All Writs Act is a residual source of authority to issue writs that are not otherwise covered by statute.” Pennsylvania Bureau of Correction v. United States Marshalls Service. 474 U.S. 34, 43 (1985). Pursuant to the All Writs Act, the Court has the power, “in aid of a valid warrant, to order a third party to provide nonburdensome technical assistance to law enforcement officers.” Plum Creek Lumber Co. v. Hutton, 608 F. 2d 1283, 1289 (9th Cir. 1979) (citing United States v. New York Telephone Co., 434 U.S. 159 (1977)). The All Writs Act permits a court, in its “sound judgment,” to issue orders necessary “to achieve the rationale ends of law” and “the ends of justice entrusted to it.” New York Telephone Co., 434 U.S. at 172-173 (citations and internal quotation marks omitted). Courts may apply the All Writs Act “flexibly in conformity with these principles. Id. at 173; accord United States v. Catoggio, 698 F. 3d 64, 67 (2d Cir. 2012) (“[C]ourts have significant flexibility in exercising their authority under the Act.”) [6]

New York Telephone is the seminal case for application of the Act. In that case, the Supreme Court provided three factors for considering when the Act could lawfully be applied to compel assistance from a third party company to assist law enforcement in executing a search warrant.[7] First, was the company “so far removed from the underlying controversy that its assistance could not be permissibly compelled.”[8] Second, would the order place an “undue burden” on the company.[9] Third, was assistance necessary to achieve the purpose of the warrant. [10]

The government argued all three factors were met. First, the company was not far removed from the matter. “Apple designed its software and the design interferes with the execution of search warrants…it manufactured and sold the phone used by an ISIL-inspired terrorist… it owns and licensed the software used to further the criminal enterprise…it retains exclusive control over the source code necessary to modify and install the software.”[11] Clearly, Apple was not “a random entity summoned off the street to offer assistance.”[12]

Second, because writing software updates and patches was a regular part of Apple’s business and they could request reasonable reimbursement expenses, it was not an unreasonable burden for them to develop code to modify the operating system. [13] The government also argued that the requested software was not unreasonably challenging to write and Apple had tacitly acknowledged its ability to do so.[14]

Importantly, the government contended that compliance with the court order in this one case did not constitute a threat to other users of Apple products. [15] They suggested Apple could take possession of the device at its own secure location, have complete control over whatever software was developed and ensure it was not released into the wild.[16] Therefore, it would not be “the equivalent of a master key, capable of opening hundreds of millions of locks.”[17]

The government insisted the burden should be measured based on the direct costs and not include more general considerations about reputation or ramifications of compliance.[18] This meant speculative policy concerns regarding possible consequences should hold little weight in the outcome. [19]

The government implied Apple’s refusal was tied to its public brand marketing strategy. FBI noted that Apple’s statement on its web page: “Our commitment to customer privacy doesn’t stop because of a government information request…Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS8.” [20]

For the third prong of the test, the government asserted the assistance was necessary because technicians from FBI and Apple agreed they were unable to identify any other feasible methods to gain access to the device.[21] Apple’s control over the source code that created the obstacles meant no other party had the ability to assist the government in preventing their security features from obstructing the search.[22]

Finally, the government agued it was appropriate to rely on the All Writs Act in this case because “no statute addresses the procedures for requiring Apple to extract data from a passcode locked iPhone” and the “absence of a specific statute cannot be read as a decision to limit existing authority.”[23] The Communications Assistance to Law Enforcement Act (CALEA) did not apply because Apple was not a telecommunications carrier and the order concerned access to stored data instead of real-time interception and call identifying information (data “in motion”). [24] The government acknowledged the All Writs Act would not apply where a statute specifically addresses an issue, but the lack of congressional action on encryption was not a restriction here because the Supreme Court has repeatedly cautioned “Congressional inaction lacks persuasive significance.” [25]

Apple’s case

On February 16, Apple went public with a “Message to Our Customers” posted on their website. Their call to arms was answered by a star-studded list of supporters who filed amici briefs, including some of the world’s largest technology companies (e.g. AT&T, Amazon, Cisco, Facebook, Google, Intel, and Microsoft) and privacy advocate groups (e.g. EPIC, Human Rights Watch, ACLU, Center for Democracy and Technology). Dozens of law professors, cryptographers, and even the United Nations Special Rapporteur on Promotion and Protection of the Right to Freedom of Opinion and Expression supported Apple’s stance.

The opening paragraph of Apple’s opposition was not a mere shot across the bow; it was a declaration of “total war”:

This is not a case about one isolated iPhone. Rather, this case is about the Department of Justice and the FBI seeking through the courts a dangerous power that Congress and the American people have withheld: the ability to force companies like Apple to undermine the basic security and privacy interests of hundreds of millions of individuals around the globe. The government demands that Apple create a back door to defeat the encryption on the iPhone, making its user’s most confidential and personal information vulnerable to hackers, identify thieves, hostile foreign agents, and unwarranted government surveillance. [26]

Apple’s assault continued with the assertion that “no court has ever authorized what the government now seeks, no law supports such unlimited and sweeping use of the judicial process, and the Constitution forbids it.”[27]

Apple set the stage by recalling the data breach of the federal government’s Office of Personnel and Management that affected 22 million people, as an example of the daily siege of cyber threats facing the nation.[28] They explained that starting with iOS8, additional security features had been added to protect customers from cyber attacks, but now the government sought to “roll back” those protections. [29] This was of additional concern because the government tactics “invoked terrorism” and attempted to cut off debate and analysis in ex parte proceedings behind closed court doors.[30] Apple said they believed the government wanted a “crippled and insecure product…too dangerous to build” because the process would provide “an avenue for criminals and foreign agents to access millions of iPhones.”[31]

To prove this was not just an isolated event, Apple noted there were multiple other similar applications already pending, including over a hundred each in New York and California alone. [32]The company warned that once the floodgates opened, there might be no limits on future government orders:

[W]hat is to stop the government from demanding that Apple write code to turn on the microphone in aid of government surveillance, activate the video camera, surreptitiously record conversations, or turn on location services to track the phone’s user? Nothing.[33]

To make matters worse, while the average American citizens would end up prisoners of a surveillance state described above, actual criminals and terrorists would just be driven further underground and use encryption provided by foreign companies that could not be conscripted into service.[34]

Moving beyond the hyperbole, the central point of Apple’s argument emerged that the All Writs Act is limited to being a gap-filler and the government was trying to unjustly apply it. Apple noted a holding within the controlling circuit that “squarely rejected the notion ‘the district court has such wide-ranging inherent powers that it can impose a duty on a private party when Congress has failed to impose one.”[35] Apple also noted the Supreme Court’s ruling in Pa. Bureau of Corr. V. U.S. Marshals Service, 474 U.S. 34 (1985) that the All Writs Act “ does not authorize [courts] to issue ad hoc writs whenever compliance with statutory procedures appears inconvenient or less appropriate.”[36]

Apple challenged application of the All Writs Act’s three factor test, stating the current case is nothing like the New York Telephone case and its progeny.[37] In New York Telephone, there was probable cause the company’s facilities were being used in an ongoing criminal enterprise, but here the terrorists using the iPhone had been killed two months earlier. Further, Apple is private company, not a “highly regulated public utility” with “a monopoly in an essential area of communications.”[38]

A judge would likely find these arguments fall short for two reasons. First, the iPhone capabilities would equate to a room full of computers housed by the phone company in 1977 when that case was decided, and there may indeed have been a connection to other potential planned terrorist activity on the device. Second, the All Writs Act is not limited to public utilities and it can be argued that Apple’s dominant role in the market exceeds the power the phone company monopolies once held.

Apple’s next argument was that the fact they designed, manufactured, and sold the device, and wrote and owned the software, did not make them sufficiently close to the matter because this would mean merely placing a good into the stream of commerce would implicate the All Writs Act.[39]

A judge would likely not agree with Apple’s contention that requiring their involvement would eliminate any limits on the remoteness factor. Apple denied any significance to the fact the software is licensed instead of sold, but when combined with their total control over the source code, it should be clear this company’s relationship to their products is not the same as any simple manufacturer who makes a sale and then remains connected only in terms of warranties.

Turning to the second factor, Apple claimed the burden on them would be excessive because the requested software does not exist and would require significant resources to develop. Apple defined the task to require six to ten engineers dedicating a very substantial portion of their time for two to four weeks. They would need to prepare detailed documentation for using the software, follow quality assurance and security protocols, test the software on multiple devices before deployment, and de-bug and patch fixes as necessary to ensure it worked.[40]

More importantly, Apple said doing what the government wants “destroys the security features that Apple has spent years building” and would threaten the data privacy of hundreds of millions of iPhone users around the globe.[41] Apple noted that if it complied in this case, there would be hundreds of other requests seeking the same type of support, including from foreign governments.[42] The newly created code would be at great risk from hackers, criminals, and terrorists who would seek to exploit it for nefarious purposes. Further, these technologically sophisticated bad actors would still use other encryption technologies beyond what would be bypassed.[43]

A judge would likely find all of these arguments make the flawed assumption that unlocking this one phone would result in wide scale proliferation of the ability to unlock other iPhones. Apple has clearly proven itself able to keep its source code protected and the formula for Coca Cola has remained secret for over 100 years, so there is no reason to assume that just because something is valuable it can’t be kept secure. Additionally, each future request for assistance from the United States or other governments would need to be adjudicated on the merits of the particular facts of the individual cases.

Apple argued this case could be a dangerous precedent for use of the All Writs Act in other circumstances, such as compelling a drug company to make lethal injections, newspapers planting false stories, or malicious code insertion to enable surveillance.[44]

A judge would likely find these fanciful leaps irrelevant to the proceedings at hand. Obviously, any such requests would need to be dealt with in their own rights and first need to comply with existing Constitutional norms before they could even be initiated.

Finally, in what turned out to be the death-knell for this particular case, Apple argued that the third prong of the test was not met because the government did not demonstrate the company’s assistance was necessary.[45] Apple noted they initially responded immediately and devoted substantial resources on a 24/7 basis to support the investigation. [46] Without consulting Apple, FBI changed the iCloud password associated with one of the attacker’s accounts. If that had not been done, it is possible an iCloud back-up could have been created and it wouldn’t have been necessary to unlock the phone.[47]

Apple suggested that other federal agencies with digital forensic expertise should have been consulted, especially within the intelligence community. [48] It later turned out that another company was able to help the FBI gain access to the device, so the government no longer had justification for use of the All Writs Act. This issue won’t resurface as long as there are other avenues available, but given the rapidly evolving world of cryptography, it is likely that another insurmountable barrier will soon present itself. Thus, focused attention on other aspects of the dispute, as detailed in this paper, is still well deserved.

Regardless of the outcome of the three facto test, Apple argued the All Writs Act was not lawful because CALEA was on point and therefore precluded its use.[49] Apple explained that CALEA specifies there is no obligation for a company to assist the government in decryption of communications when the company does not retain a copy of the decryption key.[50] Further, there is no requirement for “information service providers” such as Apple to provide this type of support, and Apple contends Congress intentionally made this exclusion. [51] Lastly, under CALEA the government cannot dictate specific equipment designs or software configurations to providers of electronic communication services or manufactures of telecommunications equipment. Apple contended it is a provider of “electronic communication services” and therefore would be governed by this rule.[52]

Apple argued that the executive branch’s decision to abandon efforts to update CALEA in 2015, sent a strong signal, along with current proposals in Congress that would prohibit forcing private companies like Apple to compromise data security.[53]

Moving beyond whether or not the All Writs Act was applicable, Apple also argued the order would violate the First Amendment by compelling speech and viewpoint discrimination because computer code is treated as speech.[54] The Supreme Court has ruled such action can only be upheld if narrowly tailored to obtain a compelling state interest and Apple asserted that standard was not met here.[55] Apple recognized the importance of investigating and prosecuting terrorists, but maintained that in this case there was only “speculation that this iPhone might contain potentially relevant information.” [56] Apple suggested that based on the ISIL’s familiarity with secure communications, it was likely there were additional layers of encryption that would continue to frustrate the government even if Apple helped.[57] Additionally, Apple noted that producing the new software would effectively be forcing the company to advance a viewpoint contrary to their stated position on the subject.[58]

Lastly, Apple argued that the due process clause of the Fifth Amendment protected them against being arbitrarily deprived of liberty and forced to act by the government.[59] The government obtained the initial order without notice to Apple and without allowing Apple an opportunity to be heard.[60]

Round Two – The Counter-arguments and The Amici briefs.

The government reply tried to emphasize the specific facts of this one case, while accusing Apple of obfuscation: “…Apple attacked the All Writs Act as archaic, the Court’s order as leading to a “police state,” and the FBI’s investigation as shoddy, while extolling itself as the primary guardian of American’s privacy.”[61] They highlighted Apple’s concession of being technically capable of compliance and the absurd notion that a couple of man-months of labor would be burdensome for a company of 100,000 employees and hundreds of billions in annual income.[62] The order itself would apply to a single device and raised no Fourth Amendment privacy concerns regarding the content sought.[63]

To counter Apple’s efforts to characterize the All Writs Act as “an obscure law dredged up by the government to achieve unprecedented power,” the government argued the Act was “a vital part of legal system regularly invoked in a variety of contexts.”[64] It was enacted by the First Congress as part of the Judiciary Act of 1789 and is a foundational law that pre-dates the Bill of Rights. In 1948, the Supreme Court described it as “a legislatively approved source of procedural instruments designed to achieve the rationale ends of law.”[65] The government contended that Act was specifically intended to give courts ability to adapt to new problems, such as the one presented by Apple, to ensure justice is done.[66]

The government noted many of Apple’s arguments were raised in the New York Telephone case and dismissed by the Supreme Court 40 years ago.[67] Significantly, the Act is self-limiting because it can only be invoked in aid of a court’s existing jurisdiction and the three-factor analysis eliminates concerns that random citizens will be forcibly deputized.[68]

In terms of the applicability of the Act being precluded by CALEA, the government argued again that Congressional inaction lacks persuasive significance because the proposed changes were neither enacted nor rejected, but simply not acted upon.[69] All Writs Act is controlling unless a statute specifically addresses the particular issue at hand, and in order to occupy the field “Congress must legislate so intricately as to leave no gap to fill.”[70]

The government argued CALEA analysis must be performed on individual components, instead of the entity as a whole, when an entity provides multiple kinds of services. CALEA addresses various categories but “with regard to the development and control of the iOS Apple is not a provider of wire or electronic communication services, but a software developer and licensor.”[71] Apple’s FaceTime and iMessagemay qualify as electronic communication services, but the court’s order did not pertain to those aspects.[72] Finally, Apple is not an “equipment manufacturer” as defined in CALEA since that term means transmission and switching equipment, not end-user phones.

Turning to the analysis of the three factors, the government claimed Apple failed to show the burden placed upon it would be undue, unreasonable, and non-compensable.[73] They pointed out writing software was not a “per se” undue burden and that Apple’s 2015 income exceeded the operating budget of the State of California and the GDP of two thirds of the nations of the world.[74] The burden was lightened because the FBI was not seeking Apple’s source code and the software to be developed would not need to be consumer ready.[75]

The government attempted to distinguish the controversy from an earlier one Apple cited as an example for restricting the reach of the All Writs Act. They argued that in that case (Plum Creek Lumber Co. v. Hutton, 608F. 2 1283 (9th Cir. 1979), the Act was not justified by the risks imposed because the government was seeking only to increase the efficiency of an investigation, where here it was a question of whether the investigation could proceed at all.[76]

In addition, the government argued it was only speculation that Apple would subsequently have to use the same technique to help totalitarian regimes suppress dissidents around the globe or that “hackers, criminals, and foreign agents” would subsequently have access to data on millions iPhones.[77] Widely publicized incidents involve breaches of network security, but the bypass method in this case would require physical access to the device.[78] Apple has proven capable of protecting its source code, and there is no reason it could not provide the same level of protection for this technique, so it would be safe to argue the code would never leave Apple’s possession.[79]

The government provided responses to Apple’s speculation there would not be any benefit to removing iPhone barriers because criminals and terrorists will encrypt their data in other ways.[80]First, the government may be able to break any additional layers of encryption if they did exist.[81] Second, even if there was some point in the future where unlocking iPhones was no longer of value due to secondary encryption, it is still valuable today.[82]

In an important analogy describing the technical aspects of this challenge, the government argued what they requested was more like disarming a booby trap affixed to one door instead of a crafting a master key that could fall into the wrong hands.[83] The requested code could be developed to leverage the unique ID associated with each iPhone and incorporated into its operating system, so that it could load and execute only on the one device.[84] With this approach, the software would lack a valid digital signature if it were modified to work on other device, so it was disingenuous to extrapolate the threat to all iPhone users.[85]

The government also challenged the impact on foreign states as part of Apple’s efforts“accumulating hypothetical future burdens.”[86] According to Apple’s own information, China demanded information on over 4,000 phones in the first half of 2015 and Apple produced data 74% of the time.[87] An internal U.S. court order does not change how foreign governments interact with Apple.[88] It would not have legal meaning in terms of whether or not Apple would need to comply with foreign government requests made under different circumstances.[89] The lawful process in America should not be confined by potential lawless oppression elsewhere.

Lastly, the government responded that their request would not violate either the First or Fifth Amendments. Even if considered compelled speech, such requirements are common in both criminal and civil justice systems, such as in grand jury and trial subpoenas, interrogatories and depositions.[90] Additionally, the software would only be seen by Apple and while coding includes expression at some level, there is some doubt that functional programming is entitled to traditional speech protections.[91] The expressive elements of Apple’s software would be unlimited, as long as it functioned.[92] Finally, the order was compelling conduct with incidental effect on speech, which had previously been ruled permissible.[93]

Given the scope of the court proceedings underway, it seemed as if little was needed to debunk the lack of due process, other than to point out there was no due process right to not develop software and “Apple was availing itself of the considerable process the legal system provides.”[94]

One of the main issues of contention between the parties was that the FBI argued the case should be decided on its facts, while Apple proposed the court address broad questions of whether the company should be required to provide the government the ability to unlock every iPhone. [95] The government asserted that the limits Apple sought were already found in the law and those authorities should be entrusted to strike the balance between each citizen’s right to privacy and all citizen’s right to safety and justice.[96] For example, in the case of Riley v California. 134 S. Ct. 2473 (2014), the Supreme Court made a careful consideration of smart phone technology and its role in society and stuck an “appropriate balance between privacy concerns and investigative needs” by requiring search warrants to access data on the devices rather than simply permitting access as part of searches incident to arrest.[97]

Apple’s Final Words

Apple continued to maintain the government had misconceived the All Writs Act and its purpose. Several additional cases were cited, but the essence of the argument on both sides was unchanged.[98] This is a matter a judge would need to decide, but they would likely find software development to be a novel but reasonable application of the Act.

In revisiting CALEA, Apple went into further detail to highlight the FaceTime, iMessage and Mail applications were electronic communications and this qualified the company as an “information service provider.”[99] The key argument remained whether CALEA could be read to directly apply, or was intended to fully occupy the field, and thus pre-empted use of the All Writs Act. Again, it would fall to a judge to make a ruling as to how strong an indicator of intent Congress had provided. Because the outcome of the ruling in favor of Apple would mean a huge increase in unexecutable warrants across the country, it is likely the judge could interpret this issue as outside the scope of CALEA. It becomes a policy issue, as covered in more detail in the other section of this article.

Apple once again ran through the three factor test of New York Telephone, providing additional case law but no notable substance that could alter the outcome.[100] Their strongest new argument was to explain that previous compelled “programming” the government cited from cases in 1979 and 1980 simply involved use of a teletypewriter or took less than a minute to complete.[101]

The remainder of Apple’s brief challenged the government on the same grounds as earlier, attempting to rebut each point raised, but leaving the reader with nothing more than a clear understanding that there are two ways to characterize the issues.

In conclusion, Apple called upon one of the foundational leaders of privacy law, citing Justice Louis Brandeis’s comments on advances of science beyond wiretapping almost 100 years ago. Brandeis warned that the “greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding.”[102] While those words do indeed show a need for caution, it is hard to imagine Brandeis, who also famously remarked “sunlight is said to be the best of disinfectants,” would support a world filled with indiscriminate shielding of information from valid search warrants.

Amici

The government’s amici attempted to balance the theoretical concerns presented by Apple with actual costs that would ensue from non-compliance. The Federal Law Enforcement Association noted that crimes would go unsolved and criminals would go free.[103] They explained that major police departments are finding up to 50% of phones inaccessible and provided specific examples of cases of human trafficking, pedophiles, child pornography, homicide convictions and exoneration of innocent, cybercrime, and identify theft.[104] In addition, they provided a somber reminder that it is not just investigation, but also crime prevention that is hindered by inaccessible encrypted data. In November 2015, cell phone data was reportedly used to track down the ringleader of the Paris attack that killed 89 people, while he was in the process of planning another attack in Europe. [105] If the data had been hidden behind unbreakable encryption, it could not have been used to thwart this imminent threat.

The San Bernadino District Attorney (DA) addressed a different angle, arguing Apple was making de facto decision on who could be charged with a crime and giving de facto immunity to iPhone users.[106] This infringed on authority of the District Attorney to make charging and immunity decisions and impacted the due process rights of victims to have all relevant evidence admitted in a criminal proceeding.[107]

The DA aptly noted “No one has appointed or elected Apple to be the Orwellian arbiter or definer of privacy for society…” and the proposed concept of absolute privacy and immunity from search was not supported by the Constitution.[108] They noted that when a company introduces a dangerous product they are required to fix it, and when a company creates environmental damage they must clean it up. [109] In the same vein, it made sense for Apple to be required to remediate the problem they created, which did not exist in their previous operating systems.[110]

Apple’s amici continued their theme of amplifying the crisis. The proposed court order was portrayed to be “devastating for cybersecurity” and an action that would “undermine American and global trust in software security updates, with catastrophic consequences for digital security and privacy.”[111] They warned that “deliberately compromised digital security would undermine human rights around the globe.”[112]

But other than providing an impressive list of corporate names in their camp, the technology company briefs did not do much to help Apple’s case. AT&T’s brief acknowledged that “of course” the government should have access to the critical evidence in the terrorist attack, but questioned whether the All Writs Act was appropriate instead of new legislation.[113] AT&T called for a new legislative solution because “communications services have changed dramatically” and “personal data are largely controlled by device, search, operating system, application, and social media companies that barely existed when CALEA was passed.”[114]

Intel’s brief attempted to shed light on the CALEA question, but their information reinforced the impression that the decision could go either way.[115] On the other hand the brief written by “several of the most popular communications, networking, ecommerce, publishing, and commercial transaction platforms on the Internet” contended that existing statutes (Federal Wiretap Act, Stored Communications Act, Foreign Intelligence Surveillance Act, and CALEA) provided a “comprehensive regulatory scheme” that left no gaps for the All Writs Act to fill.[116] This group went so far as to warn of a “potential erosion of consumer trust” that “undermines the entire Internet and technology industry, which has been a source of dynamic innovation and job creation in the U.S. economy.”[117]

Another brief expanded on this economic doom theory by noting the “enormous burden” that would be imposed on software developers if the government had its way.[118] “Massive expenditures of time and resources” could be demanded from any company, which would be “particularly onerous on small companies…that are the ‘heart of the mobile economy.’”[119] Apparently this team forgot about the All Writs Act’s three factor test that would limit any such requests based on their imposed burdens.

The Electronic Privacy Information Center (EPIC) provided an interesting argument that avoided any discussion of the All Writs Act or constitutional protections. Instead, EPIC built a case that the short term benefit to the FBI would be outweighed by an increase in nationwide crime that would result from weakened safeguards in iPhone security.[120] Cell phones are a primary target for criminals and identity thieves and the issue is a top priority for law enforcement in most major cities.[121] For example, almost half the robberies in New York City involved cell phones. [122] Ten percent of phone thefts later lead to identity theft. Anti-theft software could save over $3 billion per year, and in fact, the Federal Communications Commission reported a sharp decline in Apple iPhone thefts following their use of new security features.[123] The security features that would be overcome by the court order are exactly the type law enforcement has been advocating for.[124]

Given EPIC’s expertise on the subject, one might find what was not contained in EPIC’s brief more telling. Citing only a single case, it was not really a legal brief at all but, just an appeal to carefully perform a cost benefit analysis. Considering the costs are hypothetical based on the assumption the single instance would translate into universal defeat of Apple’s security, their argument does not hold much weight. Of course law enforcement supports wide-spread use of the security measures to deter theft. But this does not mean those security procedures must preclude the ability to comply with a lawful search warrant.

EPIC noted that the Supreme Court found cell phones deserve special Constitutional protections because they contain so much sensitive data.[125] Unlike many of their fellow amici, perhaps EPIC realized that those protections had already afforded in this case, so they chose to present a less alarmist argument.

A group of computer security experts advanced an interesting proposition that the court order could undermine public trust in automatic software updates due to fears of future surreptitious forced enabling of government surveillance.[126] As a result, software patches would be less effective and the public less secure. They further explained that even if this one tool was intended to remain in safe hands, software inevitably has bugs that can be exploited. [127] In fact, Apple has been battling against “jailbreakers” who exploit vulnerabilities in their software for years, and this would heighten the stakes in that struggle.[128] Finally, governments with poor human rights records, such as China, Russia and Turkey would make use of the technique and the corruption and poor security practices of these regimes would further increase the risk of inadvertent release.[129]

A group of law professors provided a surprisingly one-sided view, implying the court order would discourage creativity and innovation.[130] The professors raised issues of inadequate due-process during the initial stages and expiration of the original warrant’s authority, but these are administrative technicalities based on how the case developed. The bulk of their argument was that CALEA and ECPA “cover the field” and therefore left no room for the All Writs Act. Most significantly, they pointed to a provision within CALEA that provides for expanding its coverage, but even this would be limited to only certain content (email or iMessages) so the outcome of this aspect of the controversy remains uncertain.[131] They clearly went too far when warning against “giving the government defacto control over technical design while permanently converting Apple and other private companies into state actors.”[132] This was far more than what the government sought and ignores the fact Apple and it’s like already have full time law enforcement support teams.

The Electronic Frontier Foundation argued that the court order would violate the First Amendment by placing a significant burden on Apple’s free speech rights, particularly emphasizing the significance of the software’s digital signature code.[133] The digital signature communicates authenticity and trust so that Apple’s signature is an endorsement and seal of approval, but this would be exactly the opposite of the message Apple wished to send.[134] It would be one of the most onerous examples of compelled speech - forced hypocrisy.[135] But it is also an argument that can’t go very far because the government is not forcing Apple to digitally sign the requested code. Apple’s own protocols require it, and if they truly wished to avoid a digital signature they could develop a work around that did not require it.

Another brief also focused on the First Amendment, raising the alarming premise that the court order represented a threat to independence of the free press.[136] But this brief later admitted there may be cases where the government can indeed compel a company to write software, when there is a specific compelling interest undertaken in a narrowly tailored fashion. [137]

Human Rights Watch and Privacy International noted security features such as encryption are integral to the protection of civil and human rights.[138] While this may be true in many parts of the world, the U.S. has been at the vanguard for these movements for hundreds of years without any need for reliance on such technologies. This concern is actually more oriented towards other countries, which may see a ruling against Apple as a green light to use the requested technique to “stifle expression, crush dissent, and facilitate arbitrary arrest and torture.”[139] But the fears may already be reality, because there is no reason for such countries to wait for a U.S. precedent. For example, Russia and China already have the power to compel technology companies to assist law enforcement upon request.[140]

The ACLU argued the proposed application of the All Writs Act would violate Fifth Amendment due process protections against arbitrary action of government, noting there are Constitutional limits to the assistance that law enforcement may compel from third parties.[141] The group resurfaced criticisms against “writs of assistance” from the Colonial era and warned that the security of all Apple’s users would inevitably be weakened.[142]

The Center for Democracy and Technology also relied on a “slippery slope” argument, including a concern that foreign companies would fill the breach and provide encryption not vulnerable to edicts by American law enforcement.[143] The prominence of the U.S. market in the global economy makes such a scenario unlikely, because any entity that legitimately seeks to do business in this country would need to comply with its laws, regardless of where that company is situated.

Another group argued that some companies would choose not to include robust security in their products due to the fear of potential future costs of being ordered by a court to bypass the protections.[144] This argument ignores market dynamics because there are hundreds of millions of iPhonesin use and the cases of lawful warrants to search them are almost infinitesimal - less than .001%, or one out of 100,000 (a total of roughly 1000 cases out of over 100 million users). The same group took political correctness and self-actualization to a new level by arguing the order undermined Apple’s ability to fulfill its human rights responsibilities and impinged upon Apple’s preferences “about the kind of corporation it is aspires to be.”[145]

Finally, one outlier claimed the order violated the Thirteenth Amendment which protects an individual’s right to be free from involuntary servitude.[146]

At the end of the day, none of the arguments presented by the government, Apple, or their numerous amici were legally evaluated by the court. While this analysis provides some predictions of how case law would likely be applied, the more compelling policy questions linger unresolved.

[103]Brief for Federal Law Enforcement Officers Association, Association of Prosecuting Attorneys, and National Sheriffs’ Association, as Amici Curiae Supporting the United States Government (March 3, 2016), at 4.

Developing a strategy for cyber conflict

Introduction

History teaches the importance of developing the right strategy to adapt to a changing situation on the world stage. At the dawn of the last century, a significant shift in the global balance of power began to emerge. Germany’s power was rising, but it still faced significant rivals on both her Eastern and Western borders. The Schlieffen Plan was developed as a strategy to meet this challenge and was put to the test in World War I. The strategy called for Germany to leverage its military and infrastructure strengths to rapidly mobilize and concentrate forces to quickly defeat the French army on one front before shifting east to face the Russians. The strategy failed and the results were catastrophic. Almost ten million soldiers died in that war, far exceeding any conflict to date, and the unresolved struggle soon led to another war, which was even more devastating.

Now, in the early 21st century, the United States is the sole global superpower, but new concerns require non-linear extrapolation to develop a strategy to overcome current and future adversaries. In particular, the emergence of the cyberspace domain presents unprecedented opportunities and challenges for national security. Nations around the world have begun to recognize the significance of this dynamic, but the United States has the most at stake due to its premier position. With this in mind, U.S. Cyber Command is in the process of training and deploying a cyber force. But to optimize that force, the right strategy is needed.

This paper explores the question, “How do we develop the right force optimization strategy for cyber conflict?” It is important to invest time and effort to work through the concepts because the stakes are enormous. The first issue to address is the significance of conflict in cyberspace, not just as an aspect in the evolution of modern warfare, but as an integral element of today’s society and world. Within this context, optimal approaches for conducting cyber warfare are explored, including the best ways to posture and utilize the cyber force. Ultimately, a risk management approach is proposed to allow for leverage against many unknown factors. In the absence of hard-earned lessons learned through full-scale conflicts, simulation, exercises, and war games become the vital ingredients for developing successful strategies. But these tools can only go so far—the objective strategy may require a significant restructuring and rebalancing effort. The scale of the change seems daunting, but as cyber conflict transcends military conflict, the change should be dealt with in a revolutionary manner that does not underestimate the growing importance of cyberspace in global affairs.

What is Strategy?

Why bother to discuss strategy after the April 2015 publishing of the Department of Defense Cyber Strategy to guide the development of DoD’s cyber forces and strengthen its cyber defense and cyber deterrence posture? That document did an excellent job of describing the drivers behind the need for a strategy and articulated a set of five strategic goals and over a dozen detailed objectives. However, it is better characterized as a “strategic implementation plan” rather than a strategy itself. It is a good roadmap, but one based on the assumption of a known objective end state. Alternatively, this paper calls for an examination of underlying premises because even the best map cannot be used to chart a path if one is not yet sure of the ultimate destination or method of travel.

Developing a Strategy is the art of balancing Ends, Ways, and Means against Risks. Ends are the objectives (what is to be achieved), Ways are the courses of action or methods (how and when are the available tools used to get the job done), and Means are the resources (what tools are to be acquired and used). Assessing Risk involves recognizing the Strengths and Weaknesses and the Opportunities and Threats presented by the environment and the actors. Unfortunately, U.S. leaders sometimes overlook the importance of using this model to develop optimal strategies. Instead, over-reliance on superior technology and greater resources is seen as the path to victory. When it comes to Cyber Strategy, these advantages are no longer determinative, and thus pressure is building for a more astute approach.

What is the significance of cyber conflict in modern warfare and society?

For much of human history, nations fought over control of territory. Fertile land, rich mineral deposits, navigable rivers, and safe harbors were the early prizes that eventually evolved into vital industrial and population centers. Land and sea forces were the predominant means to seize and maintain these objectives. As technology advanced, control of the airspace became an important contributor to determining the outcome of battle. Similarly, the automation of command and control mechanisms added the potential for actions in the cyberspace domain to affect conflicts between air, land, sea, and space forces. But cyber power now also offers a potential approach to conflict independent of military engagement in the traditional air, land, maritime, and space domains.

Where will the most significant struggles play out for dominance in the cyberspace domain?

Virtually all modern battlefield weapon systems have some connection to cyberspace. This means existing arsenals of air, land, and naval weapons themselves represent potential direct targets in cyber conflict at the tactical level. Similarly, administrative, logistical, and other support networks essential to conducting military operations are reliant on cyberspace and therefore are potentially vulnerable to cyber attacks as part of theater-wide campaigns. Finally, critical civilian national infrastructures that provide the foundations for military force projection now also have cyber vulnerabilities that can be exploited at the strategic level. Thus, cyberspace operations must take place at the tactical, operational, and strategic levels of conflict.

The ability for cyber power to be applied across all levels of war has led several strategists to consider the development of airpower as an analogy. Aircraft offer a similar range of options, starting with air-to-air or air-to-ground engagements (e.g., dogfights, tank plinking), moving up to targeting military installations (e.g., airfields, logistics depots), and finally to directly disrupting strategic infrastructures (e.g., petroleum-oil-lubricants and ball bearing plants). As airpower developed, significant debate ensued as to where along this spectrum it would be most effective. Even after more than 100 years of using airpower, the debate continues. A similar debate has begun on the application of cyber power. However, instead of expecting a definitive answer, the lesson to be applied from the airpower analogy is that we must be prepared to use cyber power across each level of war from the tactical to strategic.

The cyberspace domain is more than the newest realm for extending traditional military conflict to achieve military ends. The pervasive nature of cyberspace in modern society has led to challenges beyond those that typically fall within the purview of a military force. First, the age-old struggle between the concepts of freedom of information/transparency versus personal privacy has been amplified significantly through the emergence of cyberspace. Second, the entire global economy is increasingly intermeshed with cyberspace, and the competition for information advantage has become an essential ingredient of private sector profitability. The cyberspace domain has become an integral part of modernity. Given this unique dynamic, the airpower analogy falls short when trying to extend lessons beyond the military dimension. Instead, we must look to other models.

Deterrence and Cyber Conflict

The theory of deterrence, which is as old as war itself, has been applied with varying degrees of success to avoid conflict entirely or discourage use of particular weapons and attack techniques. During the Cold War, much thought went into nuclear deterrence theory in an attempt to grapple with the extreme consequences of atomic weapons. The “Wizards of Armageddon” developed concepts such as the strategic triad, massive retaliation, and mutually assured destruction, which became part of national strategy.

The potential to apply deterrence to cyber conflict has garnered interest, and “deterrence of cyberattacks” is discussed in the DoD Cyber Strategy. However, much work remains to be done, starting with determining what goal is really being sought. Is this a version of “cyber arms control” or “de-escalation?” Or does the United States seek to retain freedom of action to use cyber power as it deems necessary while restricting any potential adversary’s range of options? Answering these questions requires first figuring out our strategic concept for the use of cyber power.

Additionally, deterrence requires predictable actors whose decisions can be influenced through the right combination of words and deeds targeted to affect their interests. This is particularly challenging for future cyber conflict, which may include unpredictable and radical non-state actors, some of which remain unidentified, while others may not yet exist. Thus, discussion of cyber deterrence should be pursued within the context of developing an overarching strategy for cyber conflict – the optimal mix of “ends,” “ways,” and “means.”

What will the primary nature of future cyberspace struggles involve? What are the “Ends” we should strive to achieve?

Military. As noted above, conflict in cyberspace can have multiple dimensions. First, there is the application of cyber operations as a component of military power to enable, supplement, or replace use of other capabilities. This can be done through either force-on-force attacks or by directly attacking other military targets. As cyber weapons mature and proliferate, these types of attacks will likely become a standard part of military conflicts. Providing information assurance for conventional weapon platforms will be as vital as providing an air defense umbrella for land and sea forces and rear areas. The ability to disrupt an adversary’s weapon platforms through cyber-attack will also be a valuable tool, but possibly less vital in most cases due to the availability of existing kinetic options to service the same potential targets. Cyber-attack options will be most valuable when political considerations constrain the use of traditional military force. Although the application of cyber power can lead to casualties and physical destruction, there is also the potential to launch attacks whose effects are intentionally limited to being non-kinetic, temporary, reversible, or all three, and that may be more suitable for the early stages of an international crisis. On the other end of the scale, military cyber-attacks may provide the only feasible means to penetrate hard targets without paying too high a price in terms of friendly force attrition against heightened physical defenses. However, to date, no direct cyber casualties have been recorded.

Intelligence/Counterintelligence. While cyber power will grow to be a significant complement to kinetic force application during military conflict, it will have even greater roles in other areas as evidenced by recent events. Cyber capabilities have already radically altered the landscape for intelligence and counterintelligence. The amount of digitized information far exceeds what has previously been available, and the center of gravity for the intelligence world has already shifted to the cyberspace domain. If a nation wishes to keep its secrets, it must first provide adequate security for its networks. A single insider with wide network access can wreak havoc, as has been demonstrated on more than one occasion (e.g., Snowden, Manning). On the other end of the spectrum, a determined power can develop remote accesses that lead to transfers of valuable information on an unprecedented scale. In 2012, General Keith Alexander, Director of the National Security Agency and Commander of U.S. Cyber Command, described the loss of industrial information and intellectual property through cyber espionage as the “greatest transfer of wealth in history.” Thus, conventional weapon platforms may still dominate current and future military conflicts, but the tide has already turned in the world of espionage and the role of cyber power within it.

Homeland Security. Homeland security is another area of which cyber power has become a crucial component. Critical civilian infrastructures in sectors such as power, transportation, banking, and communications increasingly rely on cyberspace components. The increased efficiency of the advances has benefited society, but it comes with a price that has not yet been fully realized. A whole new class of vulnerabilities exists, which requires attention beyond the physical protective measures we have traditionally relied on to remain secure. Further, unlike in the physical world, the potential to exploit those vulnerabilities is not limited to those actors in close proximity to the facilities. This is a particularly irksome challenge for the United States to face after having enjoyed the buffer of its oceans for two centuries. Hostile actors from anywhere across the planet now represent a direct potential threat. Such actors may have no affiliation with foreign militaries or intelligence services. They may not even be part of any recognized terrorist organization and could remain “under the radar” from the perspective of traditional geopolitical security interests.

Law Enforcement. On a day-to-day basis, law enforcement is the one area that has been affected by the cyberspace domain even more notably than espionage or homeland security. The vast majority of cybersecurity incidents are not traced back to foreign military forces, intelligence agents, or terrorists—they are simple criminal acts, often committed by low-level perpetrators, including some who may not even have malign intentions. Hackers are everywhere today, ranging from the teenage lone-wolf script kiddies in competition for bragging rights to international criminal syndicates organizing multimillion-dollar embezzlement schemes. This ubiquitous challenge is complicated by the fact that the technical signatures of malicious cyber activity are often hard to distinguish when first detected (if they are detected at all). This means that activity appearing to be a criminal breach may ultimately be traced to state-sponsored action with political or military motives. While national security concerns continue to grow, the predominant cyber threat to guard against today remains criminal activity, which now costs the global economy over $400 billion per year.

Regulation. The final area for consideration is the most mundane and most removed from the high-adrenalin crisis-oriented world of military conflict. In fact, the greatest risks and destructive impacts within the cyberspace domain to date have been crises that neither the military nor homeland security or law enforcement forces could prevent. Instead, the greatest damage has been due to inadvertent technical failures, which are more akin to acts of nature and natural disasters than acts of a determined adversary. These threats are best addressed by regulation and safety measures. The most prominent example was the self-inflicted wound of “Y2K” and subsequent remediation, which cost over $300 billion worldwide. Industry generally riles against government regulation of cyberspace, but as the risks to public safety grow, the role of regulation and oversight will inevitably increase. Cybersecurity managers will eventually find solace in regulations that help to define standards of due care considered by the courts to determine liability with some predictability. The traffic safety model offers an analogy of where things may be headed in cyberspace. Before the automobile, anyone with the physical ability and resources could ride a horse with little interference from the government. As the automobile became prevalent, an entire regulatory scheme and supporting infrastructure evolved to ensure safe transit (speed limits, traffic lights, highway guard-rails, vehicle registration, license plates, driver’s licenses, mandatory insurance, etc.). Unfettered access by any and all to the “information super-highway” may soon become a risk society can no longer afford. How to manage that risk through optimal regulatory means and enforcement mechanisms may be the most daunting cyberspace challenge faced by the government.

What are the optimal organizational approaches (i.e., the “Means”) to help achieve and maintain dominance in cyberspace?

While some conflicts between nations consist primarily of military contests, it is clear that the struggle for dominance in cyberspace involves multiple axes of effort as noted above. Given the widely varied nature of the threats faced in the cyberspace domain, the question of how to best posture our capabilities becomes crucial. Defending the network on one day may mean blocking hostile attempts to overload a system with denial of service traffic, but on the next day, it could require enforcing maintenance of a firewall standard on a private company’s server. It could involve discovering and countering malware implanted in critical platforms, or strikes against the source of such attacks to cut off their command and control. Cyber threats continue to evolve and escalate at a pace beyond what we are used to in the physical domain. The struggle for dominance in cyberspace will require a versatile force that can operate within and across the variety of challenges found in the military, homeland security, intelligence, law enforcement, and regulatory realms.

Can existing structures be adapted to meet the new challenges? Currently, the bulk of the U.S. Government’s cyber resources reside within the Department of Defense (DoD), including the National Security Agency, U.S. Cyber Command and Cyber Command’s Service Components. The Federal Bureau of Investigation, the Central Intelligence Agency, and Department of Homeland Security (DHS) also have key roles. However, none of these elements have the complete range of authorities and capabilities to deal with the full scope of the challenge. The Commander of U.S. Cyber Command, Admiral Mike Rogers, recognized this reality when he described cyber as “the ultimate team sport” because no one organization has all the answers or the capability to solve all problems.

Bolstering any one of the existing elements, a combination of them, or even all of them will still fail to address the seams and inherent frictions of interagency bureaucracy. But there is no need to accept the status quo and rely on virtual “pick-up” teams drawn from across a sprawling network of independent agencies. Instead of trying to wedge cyberspace into the existing apparatus, a new model should be explored. Cyberspace presents many new and unique challenges, but this is not the first time that the nation has had to struggle with problems that do not present themselves neatly within current frameworks. Organizations such as the United States Coast Guard, the Merchant Marine, and the Public Health Service provide useful models that could be templates for building a cyber force to address all of the nation’s concerns. Those organizations were formed to fill crucial gaps that once existed, and they continue to provide unique services today.

The Coast Guard is a uniformed, armed military service that resides within the Department of Homeland Security during times of peace, but can operate under the Department of Defense when war is declared, or by direction of the President. Its missions fall within the categories of maritime safety, security, and stewardship. The Coast Guard is the pre-eminent law enforcement authority within its domain. In addition to securing waterways against intrusion by unauthorized personnel or materials, the Coast Guard develops and enforces vessel construction standards and domestic shipping and navigation regulations. To ensure compliance, it reviews and approves plans for ship construction, repair, and alteration, and it routinely inspects vessels, mobile offshore drilling units, and marine facilities for safety. Finally, the Coast Guard provides aids to navigation and search and rescue services that are welcome by all legitimate mariners. Unlike any other military force, the Coast Guard has a pervasive domestic presence, interacting in an authoritative manner on a day-to-day basis with civilians operating in their domain. The public not only accepts the Coast Guard’s role, but generally embraces and depends on it as a valued partner in maritime pursuits. The cyber force of the future should have a similar ability to transition smoothly from regulatory, to law enforcement, to security functions, adapting to different challenges as they present themselves. Strong relationships with the private sector are likewise essential, because the primary domain for conflict is not a remote battlefield across the globe, but the server farms and databases of companies forming the backbone of the new digital economy. A future “U.S. Cyber Guard” (or an independent “Cyber Agency” or a new cabinet-level “Cyber Department”) could be postured to directly repel attacks on critical infrastructures, aid the private sector and government in remediation efforts or resiliency measures, and help set and enforce day-to-day standards in cybersecurity for issues that impact the nation’s security. The Coast Guard model deserves careful study because, despite the pressing need, the public is not inclined to endorse DoD or the Intelligence Community with the broad responsibilities needed for true effectiveness in cyberspace. Thus, a new organization outside of those elements is needed at the Agency or Department level—independent, yet interdependent. Regardless of what it is called, the new organization must have mixed authorities and responsibilities for cyberspace in a manner similar to those the Coast Guard has in the maritime domain.

Two other important organizations that offer lessons learned are the Merchant Marine and the U.S. Public Health Service. These organizations are relatively minor components of the Federal Government today, but they have rich histories going back to the early days of the United States. They were established outside of the predominant organizations to perform vital niche functions that contribute to national and homeland security. On one end of the spectrum, the U.S. Public Health Service is a small cadre of experienced medical personnel who are commissioned as officers and distributed to serve across numerous federal organizations. Taking the opposite approach, today’s federal component of the Merchant Marine exists only in the form of a training academy that teaches new mariners, who can then work as civilians manning vessels. Following one of these models, a “U.S. Cyber Academy” could be established to train the finest network security engineers, who would then fulfill their federal obligations by serving in key cybersecurity positions for the private sector. In the other model, a “U.S. Cyber Hygiene Service” could be created to manage a cadre of operations experts who would be assigned to work within each federal department to fill key cybersecurity roles.

Merchant Marine – a Model for Integrated Government and Private Sector Cyber Partners

The United States Merchant Marine is a fleet of over 400 U.S.-registered, privately owned civilian merchant vessels that carries imports and exports during peacetime, and that can become a naval auxiliary during wartime to deliver troops and war materiel. The Merchant Marine is complemented by the National Defense Reserve Fleet, which consists of “mothballed” ships that can be activated during national emergencies, either military or non-military, such as commercial shipping crises.

Merchant mariners move cargo and passengers between nations and within the United States, and they operate deep-sea merchant ships, tugboats, towboats, ferries, dredges, excursion vessels, charter boats, and other waterborne craft on the oceans, the Great Lakes, rivers, canals, harbors, and other waterways.

During World War II, the U.S. Government controlled the cargo and the destinations, contracted with private companies to operate the ships, put guns and armed Navy personnel on board. The U.S. Maritime Service trained the men to operate the ships and assist in manning the guns. Over 240,000 served, and they suffered one of the highest casualty rates of any Service in the war. Today, the uniformed Merchant Maritime Service exists only at the U. S. Merchant Marine Academy, a federal service academy that educates licensed Merchant Marine officers who serve U.S. marine transportation and defense needs in peacetime and war. Graduates are obligated to serve aboard vessels or be commissioned as officers in the military or National Oceanic and Atmospheric Administration Corps.

A cyber equivalent of the Merchant Marine could involve a range of options. To mirror its current form, a U.S. Cyber Academy would provide trained cyber experts who would populate private cybersecurity firms upon graduation, but they would have reserve commissions and be on tap for recall in the event of crises. On the far extreme, significant investments could be made in a dual-purpose cyber infrastructure that would not only aid in commerce but also bolster resiliency and be subject to direct government re-purposing in the event of national need.

U.S. Public Health Service (USPHS) – a Template for National Cyber Hygiene?

The USPHS consists of a uniformed commissioned corps of 6,500 public health professionals who serve within federal agencies such as the National Institutes of Health and the Centers for Disease Control and Prevention. The USPHS provides rapid and effective response to public health needs, leadership in public health practices, and advancement of public health science. USPHS traces its beginnings back to the U.S. Marine Hospital Service, which protected against the spread of disease from sailors returning from foreign ports and screened the health of immigrants entering the country. Today, USPHS officers are involved in health care delivery to underserved and vulnerable populations, disease control and prevention, biomedical research, food and drug regulation, mental health and drug abuse services, and response efforts to natural and man-made disasters as an essential component of the largest public health program in the world.

A cyber equivalent of the USPHS would consist of a new uniformed Cyber Service, separate from the Army, Navy, Air Force, and Marines. Just as when the Air Force was formed, this does not mean every cyber operator would need to be pulled from his or her current home. Instead, the Cyber Service could be a small cadre that focuses on only advanced offensive or defensive cyber operations—and like current USPHS professionals, they could be embedded within other elements of government to aid those organizations.

None of these examples are sufficient to serve as complete solutions, but they highlight the potential for unconventional approaches. It is clear that cyberspace conflict is not just a military issue. A successful strategy begins with recognizing the scope of the problem, and posturing correctly to address the challenge. Whatever form it would take—U.S. Cyber Guard, U.S. Cyber Service, or U.S. Cyber Academy—it cannot be just another element of DoD. Beyond Title 10 warfighting responsibilities, strong law enforcement, regulatory, and intelligence authorities are also needed. A hybrid element bridging both DoD and DHS, like the Coast Guard, holds the most promise to handle the full range of issues.

What are the best “Ways” to strategically posture and operationally utilize the Cyber Mission Force?

Once the overarching challenges are addressed, there will still be a need for a military cyber force devoted to military missions. The U.S must first choose whether the cyber force currently under development should become the kernel of a new comprehensive solution or focus solely on the military mission. The former requires significant political advocacy for changes in authorities and organizational structures that are unlikely to materialize without an external catalyst (e.g., a “Cyber Pearl Harbor” or “Cyber 9/11”) to force new thinking. The latter means ceding ground on which most of today’s cyber conflicts and internal controversy resides, but it allows a focus on the military’s traditional spheres of expertise.

A force optimization strategy that confines the Cyber Mission Force to a military focus requires evaluating cyber weapons’ utility as a substitute for or complement to other military capabilities. The key question is whether cyber weapons provide “another arrow in the quiver” or a whole different method of conflict. Do cyber weapons simply provide another means to take out existing priority targets, or do they represent something entirely different—such as the next stage in the evolution of combined arms warfare?

Employing a combination of military techniques to leverage the strengths of particular weapon systems against the weakness of others is a mainstay of modern conflict. This approach, known as “combined arms” (originally conceived to involve infantry, mounted cavalry, and artillery), continues to evolve as technology brings new weapons to the battlefield. Today, military officers are still taught the critical importance of synchronizing attacks through different means to defeat adaptive adversaries.

When applied to airpower, combined arms meant that one could not rely solely on anti-aircraft artillery to defend airspace but also needed the ability to scramble fighters to intercept and engage in air-to-air combat with intruding bombers. In turn, the bombers were given fighter escorts to aid in penetration of enemy defenses.

At sea, a complex network of specialized vessels and aircraft has been developed, including attack submarines, frigates, destroyers, cruisers, and aircraft carriers. No fleet sails without the appropriate combination of these platforms to ensure capability against a range of threats.

Inclusion of cyber attack and defense in combined arms warfare will apply to land, sea, and air combat. Just as ground forces learned to consider their vulnerability to air strikes, all military forces must now become prepared for cyber attacks. Under this construct, future Army Divisions may each require their own cyber battalions, responsible for tactical offensive and defensive cyber maneuvers within their areas of operation. The same would be true of Navy, Air Force, and Marine equivalent forces.

An alternative way to envision cyber forces is as specialized strategic capabilities limited to certain extreme cases, in a manner such as chemical, biological, radiological, or nuclear weapons. These weapons, judged by society as particularly gruesome means of causing death and destruction, are generally reserved for dire circumstances. In most cases, their use is tightly controlled by treaty, agreement, or public policy. Unlike the combined arms model, which would lead to inclusion of cyberspace engagements in practically any and all conflicts, this method of employment would see offensive cyber power become highly restricted.

While cyber attacks may someday be viewed as similar to attacks by other weapons of mass effect, they do not currently carry such a stigma and are therefore relatively free of internationally recognized restrictions on battlefield employment. However, the fear of potential widespread secondary and cascading effects do bring significant political pressures to bear when using cyber power against civilian targets or other networks connected to the Internet. Therefore, cyber power may best be employed in a hybrid manner. The first method is on a tactical and operational level, in conjunction or integrated with other military forces, in a counter-force role to disrupt or otherwise defeat adversary military weapon systems and forces. The second method is on a strategic level, independently as a counter-value capability to directly affect an adversary’s national power through cyber attacks on civilian and economic centers of gravity.

There is another fundamental question beyond determining how cyber forces best fit in alongside and integrated with other military forces to achieve objectives. Within the cyberspace domain itself, the individualized tactics to achieve optimal effects remain a vital issue. Other weapon systems are limited by geography and many other physical constraints, but these do not apply in cyberspace. For example, there is no need to conserve firepower due to the logistical strains behind storage and transport of available rounds of ammunition. There are also no circles to be drawn on the map to depict the maximum effective range where targets can be held at risk before fuel or gravity holds sway. Additionally, there is no need to apportion the physical terrain as a means to avoid friendly fire and fratricide. Instead, the limiting variables are access to detailed intelligence, maintaining access on extremely dynamic networks, and perishability of exploits once specific attack mechanisms become public or after first use.

Within these new constraints, the most effective means to employ cyber power will likely vary because of the fluid nature of the domain. However, certain techniques may be worth using as the default. For example, a basic question is whether it is more effective to concentrate firepower or distribute it. The “deep and narrow” approach and the “shallow and wide” approach (e.g., precision-guided weapons versus carpet bombing) each has its benefits and detriments in different scenarios.

Similarly, one must consider whether to apply “strength versus strength,” or is it better to use one’s strongest force to exploit weaknesses in an adversary’s defense? Sun Tzu wrestled with these questions 2,500 years ago, and his sage advice stood the test of time in the physical domain, but it may or may not translate well to the virtual world.

Another consideration is the sequencing of attacks. Should cyber power be held in reserve for the turning points in battle, or can it be best used as the preliminary strike? Or should it be applied as a constant unrelenting barrage throughout an engagement?

Some answers are known already. For example, the classic “3:1” ratio of forces needed for offense to defense, developed as a gauge for ground combat, is clearly not applicable in the cyberspace domain. But other warfighting principles and techniques, from the basic through the advanced, remain to be discovered. For example, what is the cyberspace equivalent of the “Immelmann” air maneuver that came out of World War I dogfighting, or the “Crazy Ivan” developed by Cold War submariners?

Defensive strategies must also be further developed. For example, when should fixed-point fortifications be relied on versus mobile defensive countermeasures? These and many other combat strategies cannot be relied on using a default solution based on the first idea presented or the program that is cheapest or quickest to implement. Instead, dedicated and concentrated effort must be applied to development of cyberspace strategies and techniques, as was done in other realms of conflict. Many modern battle techniques have emerged from Service War Colleges and Command and Staff schools.

While it is too early to determine the optimal strategic, operational, and tactical employment of cyberspace forces, we do not need to wait until after a major conflict to find the answers. Instead, a robust simulation, war game, and exercise program should be pursued as the primary line of effort. Sun Tzu’s ancient prescription to “know your enemy, know yourself, and in 100 battles you will not be defeated” must be adapted to the virtual test range. Even though a particular technique or formation may appear to be working, the alternatives must be considered until every feasible angle is investigated. While it is true that exercises, simulations, and war games do have a role in today’s military, they are often seen as a drain on resources away from the day-to-day operational mission. This dynamic needs to be reversed for cyberspace to ensure the right investments for the future.

Conflict in the cyberspace domain does not benefit from the natural evolution mankind experienced in the physical domain. We are used to judging distance and speed by eye and can readily apply such lessons. Similarly, hundreds of years of experience in structural engineering yields, as a byproduct, the ability to calculate the destructive effects of explosives against facilities. In comparing the domains, even our most advanced cyberspace practitioners are still novices when it comes to fully understanding the terrain and methods of maneuver. The potential risks and rewards are too great to wait to learn these lessons the hard way—in the course of battle. Therefore, while simulation, war games, and exercises are part of every military mission, they must play an even more extensive role for cyber conflict.

Instead of selecting a particular strategy now and pursuing it straight away, a sizable portion of the cyber force should be devoted to developing the path ahead. For much of the Cold War, a majority of military forces focused on getting ready for a battle they fortunately never fought. A return to this type of model may be prudent for cyber forces, filling the calendar with a variety of realistic exercises and virtual force-on-force simulations. Strategic Air Command was the pinnacle of this approach, being well-known (one could say almost “infamous”) for its rigorous exercise, training, and evaluation program to support readiness. The procedures for nuclear conflict had been finely honed, but painstaking practice was needed to ensure precise execution of the plan if called upon. The current state of cyber conflict requires a similar level of intense effort, far beyond the current level of commitment to exercises and training.

Cyber teams should be developed along different conceptual approaches and tested against each other—again, and again, and again. It may seem counterintuitive to take troops “off the line” when cyber incidents are occurring on a daily basis, but the long-term risk must be balanced against that of the present day. When the time comes to execute a major cyber conflict, we can ill afford to be surprised by major developments.

Conclusion

While the United States currently enjoys military superiority across the globe, developing the right strategy for cyberspace operations can mean the difference between victory and defeat in future conflicts. In the early 1600s, a tiny nation rose to pre-eminence in global affairs. The Dutch Gilded Age saw a transformation of the Netherlands from a minor possession of the decaying Holy Roman Empire into the world’s foremost maritime and economic power. The Dutch East India Company was at the heart of the “Dutch Miracle”—it was the world’s first multinational corporation financed by the first modern stock exchange. The story is relevant today because it is essentially a tale of new technologies and new organizational concepts being combined in a game-changing strategy, altering the global balance of power. Such stories are inspiring to some, but are potentially foreboding for the United States today.

The 21st century is no longer a time for business as usual when considering the shifting balance of power in cyberspace. Today, the United States, Russia, and China dominate, but tomorrow it could be smaller but highly advanced technical powers such as Israel, Japan, and Singapore that take the fore. Alternatively, the very essence of national power may be redefined as super-empowered individuals and international non-state actors such as the Islamic State in Iraq and Syria (ISIS), Anonymous, and Google seize the initiative in a rapidly evolving landscape…as the Dutch did 400 years ago.

Without a crystal ball, it is impossible to know what the right strategy is. But we do know that the wrong strategy can lead to disaster. It is necessary to adapt to the changing situation readily apparent across the spectrum of day-to-day affairs. Today’s environment requires a non-linear extrapolation. The best swordsmen of their day, with the most training and finest steel, could not stem the tide of firearms and explosives. Now is not the time to just keep sharpening the sword. But it is also not the time to throw down the sword and take up an entirely new type of arsenal. Instead, a risk-management approach to balance the right ends, ways, and means of strategy demands spreading efforts across the range of potential outcomes to guard against both likely and unforeseen contingencies.

Rather than waiting for the aftermath of a major cyber conflict to show the way, a robust simulation and exercise program must explore a range of alternatives. This will require some sacrifice of readiness to execute current missions, but it is an investment in the future to avoid outcomes with the potential for much greater harm. The answers cannot be constrained to existing paradigms, so an important part of the future investment is to establish an organization free of ties to legacy structures and policies. DoD and U.S. Cyber Command should lead the charge in calling for a new organization to be their vital partner in developing the optimal cyberspace strategy for the nation. While U.S. Cyber Command focuses on its military role, another non-DoD element will be able to transcend the military, intelligence, law enforcement, and regulatory functions. Even while the Cyber Mission Force is still being fleshed out, it is time to raise the flag of the “United States Cyber Guard.”

David and Goliath

The story of David and Goliath is well known as a classic example of the improbable victory of an underdog over a more powerful foe. The author Malcom Gladwell, whose works focus on unexpected implications of social science research, recently published a book which concludes that giants are sometimes not as powerful as they seem, and history is replete with examples of unexpected outcomes of this nature.

Gladwell suggested the hidden weakness of “Goliath” enterprises is their tendency to assume that the strategy that made them great will keep them great. The Goliath story shows that someone perceived as an underdog may actually have an advantage by employing an alternate strategy.

Favoring the underdog is a part of American tradition, but when it comes to cyber conflict, the United States is the “Goliath” of the tale. The February 2015 National Security Strategy states, “We possess a military whose might, technology, and geostrategic reach is unrivaled in human history.” From our 21st century telecommunications infrastructure and $13 trillion economy to our $600 billion DoD budget (which represents more than one-third of the entire global market), and seemingly omnipresent Intelligence Community, the United States rests atop a perch as the world’s sole superpower. But many are actively seeking to change the status quo, and a range of potential new foes is on the horizon. Developing the right strategy for cyber conflict is crucial because the United States cannot continue to rely on its size and strength to defeat future “cyber-Davids.”